PPE acquisition used as bait in global phishing scheme

By Derek B. Johnson

May 07, 2020

Individuals linked to a Nigerian cybercriminal group conducted a broad business email compromise campaign in the first quarter of the year that included healthcare organizations responding to the coronavirus outbreak as targets, according to new research released May 8 from Palo Alto Networks.

The report prepared by Unit 42, Palo Alto Networks' threat intelligence arm, said the phishing campaigns hit a number of organizations in the government and healthcare sectors in the United States and other countries, though none were apparently successful in infecting those organizations.

The researchers observed three different groups and a number of individual actors under SilverTerrier (the name Unit 42 uses to cover more than 480 individuals and groups it tracks for malign cyber activity) launch at least 10 such campaigns, and the company discovered at least 170 malicious emails from the group across its customer base.

The campaigns became increasingly complex over time, as hackers sent malware hidden in Word or Excel documents that purported to be from health departments, the United Nations and businesses involved in the PPE supply chain. A number of malicious documents claimed to relate to supply chain data about personal protective equipment such as masks. In late March, researchers say a number of unnamed government agencies within the U.S. were targeted with similar phishing email lures.

Pete Renals, the Principal Researcher at Unit 42 and primary author of the report, told FCW via email that at least two federal agencies received emails as well as two state governments, though he declined to identify them further. While all the activity in the report is attributed to SilverTerrier, there are varying degrees of connection between the individual actors.

"We associate [them] as a single group because our attribution efforts have discovered that many of the actors are within one or two degrees of separation from each other," Renals said in response to FCW questions.

Business email compromise (BEC) has grown to become a multibillion-dollar business for cyber criminals in recent years. Earlier this month, the FBI issued a warning about an increase in observed BEC scams targeting U.S. municipalities attempting to purchase personal protective equipment to deal with the outbreak.

The SilverTerrier attacks targeted a broad array of sectors, including government healthcare agencies, utilities, medical publishing firms and insurance companies in the U.S., U.K., Australia, Italy, and Canada.

The research tracks with much of what the broader cybersecurity community has observed since the pandemic began, and it's not just criminal groups that have stepped up their activities. The Cybersecurity and Infrastructure Security Agency and its U.K. counterpart issued an advisory May 5 warning that state-backed Advanced Persistent Threat groups are "actively targeting organizations involved in both national and international COVID-19 responses," including healthcare entities, pharmaceutical companies, medical research organizations, local governments and academia. The agencies are investigating multiple password spraying campaigns and believe many of the groups aim to steal medical research data, intellectual property and intelligence on national and international policy related to the virus for the benefit of their state patrons.

Threat intelligence firm FireEye said its own independent research backs up those assertions and that it has detected intrusion activity against a number of organizations involved in pandemic response efforts.

"We believe intelligence services throughout the world are under enormous pressure to collect intelligence on COVID-19, and we anticipate a full court press on organizations involved in public health administration, research, manufacturing, and treatment related to the pandemic," said John Hultquist, the company's director of intelligence analysis, in a statement.

There was initially some thought that cybercrime groups might back off targeting organizations directly involved in COVID-19 responses, with one such outfit even publicly pledging not to set its sights on hospitals and other healthcare organizations. That hope has given way to reality, as many groups have realized that the desperate straits many healthcare organizations find themselves in make them too distracted to defend against cyberattacks and more likely to pay up when hit with ransomware tools.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.